Abstract

This paper analyzes the security of a recent cryptosystem based on the ergodicity 
property of chaotic maps. It is shown how to obtain the secret key using a chosen- 
ciphertext attack. Some other design weaknesses are also shown. 
1 Introduction



Chaotic maps possess an ergodic behavior which makes them suitable for the 
design of new cryptosystems. This is the case of the cryptosystem proposed 
in [1]. This cryptosystem is based on the tent map and has been cryptanalyzed
in [2] and later improved in [3]. In [4] a new modification on the original scheme
described in [1] was proposed. The authors of this new proposal claim that
this modification overcomes all the security problems that were emphasized
in [2,3]. Nevertheless, in this paper we show that the ciphertext still includes
enough information to enable a chosen-ciphertext attack based on symbolic
dynamics. The rest of the paper is organized as follows. First of all, Sec. 2 gives
a brief introduction to the cryptosystem under study. After that, in Sec. 3 the
symbolic dynamics based chosen-ciphertext attack is explained. Then some
other problems of the cryptosystem under study are discussed in Sec. 4, and
finally the last section gives some final comments and conclusions.



2 Description of the cryptosystem 

The cryptosystem described in [4] is based on the transformation of chaotic 
orbits into binary sequences. These chaotic orbits are generated using a one- 
dimensional chaotic map defined by 

$$x_{n+1} = f(x_n, r), \tag{1}$$

where $f : I \to I$ and $0.5 \in I \subset \mathbb{R}$. If Eq. (1) is iterated $N$ times, then a
chaotic orbit will be obtained as

$$\{x_n\}_{n=0}^{N} = \{x_0, x_1, \ldots, x_N\}. \tag{2}$$

The authors of [4] do not explicitly indicate if $x_0$ is also included in the chaotic
orbit as the first chaotic state. Without loss of generality, in this paper we will
assume that this was included.

Finally, the binary counterpart (i.e., the symbolic dynamics based representation)
of the original chaotic orbit is given by

$$g_n(x_0, r) = \begin{cases} 0, & \text{if } x_n < 0.5, \\ 1, & \text{if } x_n \ge 0.5, \end{cases} \tag{3}$$

for $0 \le n \le N$. Henceforth, the binary sequence $\{g_n(x_0, r)\}_{n=0}^{N}$ is noted as
$G_N(x_0, r)$ to emphasize its dependency on the initial condition and the control
parameter.

The cryptosystem works as follows. 

• Step 1) Initialize $i = 0$, $j = 0$.

• Step 2) For the $i$-th plain block $P_i$ formed by $b_i = b$ bits, try to find the first
$b_i$-bit segment of $\{g_n\}_{n=j}^{N_{max}+b_i}$ which is equal to $P_i$; in case a segment is not
found, let $b_i = b_i - 1$ and repeat this step.$^1$ The parameter $N_{max}$ indicates
the maximum number of trials in the searching of $P_i$ through the binary
sequence.

• Step 3) Denoting by $n_i$ the number of iterations needed to locate the distinguished
$b_i$-bit segment from $g_j$, output $(b_i, n_i)$ as the $i$-th cipher-block.

• Step 4) Set $i = i + 1$ and $j = j + n_i + b_i$,$^2$ then go to Step 2 until the whole
plaintext is exhausted.

$^1$ Note that in [4], there was a typo about $b_i = b_i - 1$, which was published as
"$b_i = b_i + 1$".

The decryption process is simpler than the encryption one. In this case, the
searching process becomes unnecessary. For the recovery of the $i$-th plain block,
one simply iterates the chaotic map from the current status for $n_i + b_i$ times
and records the last $b_i$ chaotic states, which are then transformed into the $i$-th
$b_i$-bit plain block according to Eq. (3).

In [4] it is claimed that the secret key of the cryptosystem is composed of
the initial condition $x_0$ and the control parameter $r$. For a more detailed
description of the encryption/decryption procedures, the reader is referred
to [4].



3 Chosen-ciphertext attack 

In [4] it is mentioned that most chaotic systems can be used to implement the 
above described cryptosystem. Moreover, the resistance of the cryptosystem 
against the attacks presented in [2] is assumed without any security analysis. 
However, this section proves that a wrong selection of the chaotic map allows 
an estimation of the secret key through a chosen-ciphertext attack. 

Among all the possible options, the logistic map was chosen in [4] as the 
chaotic system to prove the reliability of the cryptosystem. The logistic map 
is defined as 

$$x_{n+1} = f(x_n, r) = r \cdot x_n \cdot (1 - x_n), \tag{4}$$

for $r \in (3.57148, 4)$ and $x_n \in [0, 1]$. The function $f(x, r)$ for the logistic map
is a concave function with only one critical point at 0.5. For this kind of maps
the binary sequence referred in Eq. (3) can be interpreted as a Gray code [5,6].
Moreover, in [7-9] it is shown that the family of Gray codes generated using
Eq. (3) can be assigned an order according to the initial condition and the
control parameter. The existence of this order allows an estimation of the
control parameter $r$ and the initial condition $x_0$ just by analyzing the binary
sequence $G_N(x_0, r)$ for a sufficiently large number $N$. Therefore, as long as one
can reconstruct the sequence $G_N(x_0, r)$, one can estimate the secret key of the
cryptosystem. This is used to build an attack with three different stages:

(1) Reconstruction of the Gray code derived from the logistic map.

(2) Estimation of the control parameter from the reconstructed Gray code.

(3) Estimation of the initial condition from the reconstructed Gray code and
the estimated control parameter.

$^2$ In [4] it is not explicitly mentioned how to update the index $j$. In this paper, we
assume that it is updated in such a way that no segment of a chaotic orbit will be
reused for encryption of two consecutive plain blocks.

3.1 Reconstruction of the Gray code

If one has access to the decryption machine, then one can perform a chosen-ciphertext
attack [10, p. 25] to reconstruct $G_N(x_0, r)$, i.e., the Gray code associated
to the values of $x_0$ and $r$ that make up the secret key of the cryptosystem
under study. To do so, $M$ ciphertexts are generated as $(b, b \cdot i)$ for
$i = 0, 1, 2, \ldots, M$. As an example, let us assume that $x_0 = 0.5$ and $r = 3.78$.
In this case, it is satisfied that

$$G_N(0.5, 3.78) = \{1,1,0,1,1,0,1,1,1,0,1,1,1,1,1,0,1,1,1,1,0,1,1,1,\ldots\}.$$

As a result, if we ask the decryption machine to decrypt (8, 0), then we obtain
{1, 1, 0, 1, 1, 0, 1, 1}. Similarly, the decryption machine will return {1, 0, 1, 1, 1, 1, 1, 0}
when the input is (8, 8), and {1, 1, 1, 1, 0, 1, 1, 1} when the input is (8, 16). In
other words, the decryption of the first ciphertext returns the first $b$ bits of
$G_N(x_0, r)$, the decryption of the second ciphertext gives the second set of $b$
bits of $G_N(x_0, r)$, and so on.
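The scheme of Sec. 2 and the oracle queries of this subsection, as an added Python example (not code from this paper or from [4]). It assumes the logistic map of Eq. (4) and the index update stated in Step 4; the function names, `n_max = 2000` and the plaintext bits are constructed for illustration, and the key (0.5, 3.78) is the example used above.

```python
def gray_bits(x0, r, count):
    """Symbols g_0..g_{count-1} of the logistic orbit starting at x0 (Eqs. 3, 4)."""
    bits, x = [], x0
    for _ in range(count):
        bits.append(1 if x >= 0.5 else 0)
        x = r * x * (1.0 - x)
    return bits

def encrypt(plain, x0, r, b=8, n_max=2000):
    """Steps 1-4: one (b_i, n_i) pair per plaintext segment found in the stream."""
    cipher, pos, j = [], 0, 0
    while pos < len(plain):
        bi, ni = min(b, len(plain) - pos), None
        while ni is None:
            if bi == 0:
                raise ValueError("single bit not found within n_max iterations")
            window = gray_bits(x0, r, j + n_max + bi)[j:]
            ni = next((n for n in range(n_max + 1)
                       if window[n:n + bi] == plain[pos:pos + bi]), None)
            if ni is None:
                bi -= 1                    # Step 2: shorten the block and retry
        cipher.append((bi, ni))
        pos, j = pos + bi, j + ni + bi     # Step 4: never reuse orbit segments
    return cipher

def decrypt(cipher, x0, r):
    """Iterate n_i + b_i times from the current state, keep the last b_i symbols."""
    plain, j = [], 0
    for bi, ni in cipher:
        plain += gray_bits(x0, r, j + ni + bi)[j + ni:]
        j += ni + bi
    return plain

def reconstruct_gray_code(oracle, b, m):
    """Sec. 3.1: single-block ciphertexts (b, b*i) return G_N in b-bit pieces."""
    stream = []
    for i in range(m):
        stream += oracle([(b, b * i)])
    return stream

SECRET = (0.5, 3.78)   # (x0, r) of the page's example, known only to the oracle
def oracle(cipher):
    """Decryption machine: answers any ciphertext without revealing SECRET."""
    return decrypt(cipher, *SECRET)

if __name__ == "__main__":
    msg = [0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1]   # constructed plaintext
    assert decrypt(encrypt(msg, *SECRET), *SECRET) == msg
    print(reconstruct_gray_code(oracle, 8, 3))
```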

3.2 Estimation of the control parameter 

If the binary sequence (i.e., the Gray code) derived from the iteration of the 
logistic map is known, then it is possible to infer the value of r based on the 
concept of Gray Ordering Number (GON). The GON was introduced in [5] 
as a way to reinterpret the main results of [11] in a more intuitive way. The 
calculation of the GON of a binary sequence $G_N(x_0, r)$ involves two steps:

• The binary sequence is transformed into another binary sequence using the 
next equation: 





if t = 



(5) 



where i = {0,1,2, . . . , N}. 
• The GON of the original binary sequence is calculated as:

$$\mathrm{GON}(G_N(x_0, r)) = 2^{-1} \cdot u_0 + 2^{-2} \cdot u_1 + \cdots + 2^{-N-1} \cdot u_N. \tag{6}$$

According to [8], for any concave unimodal map with critical point equal to
0.5 it is satisfied that

$$\mathrm{GON}(G_N(f(x_0, r), r)) < \mathrm{GON}(G_N(f(0.5, r), r)) \tag{7}$$

for any value of $r$ in [3,4] and any value of $x_0$ in [0,1]. Furthermore, the
function $\mathrm{GON}(G_N(f(0.5, r), r))$ is an increasing function with respect to $r$
(see Fig. 3(a) of [8]). These two facts are used in [8] to estimate the value of the
control parameter $r$. First of all, the value $\mathrm{GON}(G_n(f(0.5, r), r))$, for $n < N$,
is approximated as the maximum value of the GON of $M$ different shift-left
sequences obtained from $G_N(x_0, r)$. Afterwards, the monotonic relationship
between $\mathrm{GON}(G_n(f(0.5, r), r))$ and $r$ is used to obtain an estimation of $r$
through a binary search procedure.

In order to test this algorithm, some simulations have been carried out. The
parameter estimation errors for $r = 3.9197398122739102$ are shown in Fig. 1.
Different values of $x_0$ and $N$ were considered, for a fixed length of the
subsequences of $n = 100$. Since this method is based on the approximation of the
maximum of $\mathrm{GON}(G_n(f(0.5, r), r))$ through $M$ different values, it is expected
that the exact value of $r$ cannot be obtained unless the value 0.5 is part of
the chaotic orbit from which the binary sequence was calculated. Moreover,
the characteristic dependency of chaotic maps on the initial condition makes
the parameter estimation error depend on the value of $x_0$, as shown in Fig. 1.
Nevertheless, the proposed method makes it possible to obtain an estimation of $r$ which
implies a considerable narrowing of the key space and which can be further
improved through a trial and error strategy, i.e., a brute force attack on the
value of the control parameter in a dramatically reduced key-space.

3.3 Estimation of the initial condition

In this subsection we will assume that we have obtained the exact value of r by 
using the algorithm discussed in the last subsection. Indeed, when considering 
the security of a cryptosystem, a partial knowledge of the key must not lead 
to the determination of the rest of the key [12, Rule 7]. Therefore, even if we 
were not able to estimate the value of r and obtain the exact value through 
a brute-force attack, the recovery of $x_0$ based on the knowledge of the other
subkey r would represent a very important flaw of the cryptosystem under 
study. 

Fig. 1. Parameter estimation errors for r = 3.9197398122739102, different values of
$x_0$ and $N$ (panels for $x_0$ = 0.6, 0.7, 0.8, 0.9, 0.1 and 0.2).

As pointed out in [8], the GON of $G_N(x_0, r)$ is a monotonic increasing function
with respect to $x_0$ (see Fig. 1 of [8]). This means that one can obtain the
value of $x_0$ through an iterative algorithm similar to that described in the
last subsection. This algorithm was used to estimate the value of the initial
condition from which $G_N(x_0, r)$ was generated. Different values of $r$, $x_0$ and $N$
were considered. The results are shown in Fig. 2. For all analyzed situations, a
number of bits greater than 80 implies an estimation error below $10^{-15}$. Since
all the simulations were performed using double precision, this means that the
exact recovery of the initial condition is possible.
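The estimations of Secs. 3.2 and 3.3, as an added Python example (not the authors' code). Eq. (5) is not legible on this page, so the example assumes $u_i$ is the running XOR of $g_0, \ldots, g_i$ (the standard Gray-to-binary conversion); the function names and input streams are constructed, and the GON is kept as an exact fraction so that bits beyond double precision still take part in the comparison.

```python
from fractions import Fraction

def gray_bits(x0, r, count):
    """Symbols g_0..g_{count-1} of the logistic orbit starting at x0 (Eqs. 3, 4)."""
    bits, x = [], x0
    for _ in range(count):
        bits.append(1 if x >= 0.5 else 0)
        x = r * x * (1.0 - x)
    return bits

def gon(bits):
    """Eq. (6), exactly. ASSUMPTION: u_i = g_0 xor ... xor g_i stands in for Eq. (5)."""
    value, u = 0, 0
    for g in bits:
        u ^= g                       # running parity of the Gray symbols
        value = 2 * value + u        # append u_i as the next binary digit
    return Fraction(value, 2 ** len(bits))

def estimate_r(stream, n=100, lo=3.57148, hi=4.0, steps=60):
    """Sec. 3.2: largest GON over shift-left n-bit windows, then bisection on r."""
    # Windows start at s >= 1 because Eq. (7) bounds orbits that start at f(x0).
    target = max(gon(stream[s:s + n]) for s in range(1, len(stream) - n + 1))
    for _ in range(steps):
        mid = (lo + hi) / 2
        if gon(gray_bits(mid / 4, mid, n)) < target:   # f(0.5, r) = r / 4
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def estimate_x0(stream, r, steps=60):
    """Sec. 3.3: GON(G_N(x0, r)) increases with x0, so bisect on [0, 1]."""
    target, lo, hi = gon(stream), 0.0, 1.0
    for _ in range(steps):
        mid = (lo + hi) / 2
        if gon(gray_bits(mid, r, len(stream))) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

if __name__ == "__main__":
    # Constructed streams standing in for Gray codes rebuilt through the oracle.
    print(estimate_r(gray_bits(0.5, 3.78, 300)))         # orbit contains 0.5
    print(estimate_x0(gray_bits(0.3, 3.78, 100), 3.78))  # r assumed known exactly
```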



4 Other weaknesses 



In this section some other problems of the cryptosystem under study are
emphasized.



4.1 Considerations about the chaotic system employed



In [4] it is pointed out that most chaotic systems can be used to implement
the proposed cryptosystem. However, there is no indication of the requirements
that a chaotic system must fulfill to determine a secure cryptosystem
according to the proposed encryption/decryption structure. Moreover, in the
previous section we proved that at least a family of chaotic maps, i.e., the
unimodal chaotic maps with fixed critical point equal to 0.5, cannot be used
as long as a high level of security against chosen-ciphertext attack is needed.
Furthermore, a different way should be used to generate the binary sequence
for the encryption procedure. In the original design, this binary sequence is
obtained by comparing each chaotic state included in a chaotic orbit with the
fixed threshold value 0.5. Nevertheless, to ensure good statistical characteristics
of the binary sequence, the threshold value should be selected according
to the dynamics of the underlying chaotic system.

4.2 Considerations about the chaotic orbit generation

The characteristics of a cryptosystem should be precisely defined in order to
facilitate its implementation [12, Rule 1]. During the encryption step of the
cryptosystem under consideration, the plaintext is divided into a set of binary
sequences $P_i$ which are successively located in the binary sequence $G_N(x_0, r)$.
It is possible that $P_i$ is not included in $G_N(x_0, r)$. In this case, the length of
$P_i$ is progressively decreased until it is found in $G_N(x_0, r)$. Nevertheless, there
is no information about the length of $G_N(x_0, r)$, i.e., about the maximum
number of iterations $N_{max}$ needed to conclude whether the length of $P_i$ must
be decreased. Furthermore, not only is the length of $G_N(x_0, r)$ not explicitly
established, but some interpretation problems concerning the precise way
of generating $G_N(x_0, r)$ can also be found. First of all, in [4] it is not mentioned
whether the first bit of $G_N(x_0, r)$ corresponds to $x_0$ or to $x_1$. On the other
hand, once the plain block $P_i$ has been encrypted, it is not clear whether
the next binary sequence starts from $G_N(x_{n_i}, r)$, $G_N(x_{n_i+1}, r)$ or $G_N(x_{n_i+b}, r)$.
Note that we fixed these problems in our description of the cryptosystem given
in Sec. 2.



4.3 Considerations about the key space

The inadequacy of the logistic map for the implementation of this cryptosystem
has been proved by means of a ciphertext attack. However, the selection
of this map entails another important problem that advises against choosing
the logistic map as a base of any cryptosystem [13]. This problem concerns the
definition of the key space. In [4] it is claimed that the value of the control
parameter $r$ should be selected within the interval (3.57148..., 4) to exhibit
a chaotic behavior. However, the existence of periodic windows in this region
is well known (see Fig. 3) and so the selection of $r$ should be performed in a
more precise manner in order to avoid these [12, Rule 5].



5 Conclusions 

Some weaknesses of the chaotic cryptosystem described in [4] have been
discussed in this paper. A chosen-ciphertext attack has been described, which
can recover the secret key of the cryptosystem by exploiting the theory of
symbolic dynamics. Some other problems related to the design of the
cryptosystem have also been pointed out. As a result, we recommend not to use
this algorithm for secure applications.

Fig. 3. Bifurcation diagram of the logistic map showing the existence of periodic
windows.